Protecting Privacy of Smart-Card Data

By Rob Fixmer  |  Posted 2002-01-14

In a recent column, I brought down a hailstorm of protest by asserting that a voluntary national ID was all but inevitable in a shrinking world full of growing perils.

Predictably, the theme of the responses was a deep distrust of government. While some letters were rife with the vitriol of political extremists, many were well-reasoned.

There is no question that the potential for government surveillance of citizens is very real and requires vigilance.

But as I read Nancy Gohrings report on smart cards for this issues InteractiveWeek, I was struck by a disturbing paradox. Many of those who see government as the enemy insist that the private sector be entrusted to mandate and provide secure identification as needed. Yet, as smart cards, combined with biometrics and proximity technologies, move rapidly into the private sector, the potential for mischief on corporate campuses looms just as great as the threat of government surveillance abuse.

At least we have some nominal power over government. Though the control elected officials wield over the activities of intelligence and police agencies is unreliable, government can be held publicly accountable. Thats not true of the private sector. For example, Microsoft and Sun use smart cards to authorize employee access to and within campus buildings. As this benign use of the technology spreads into other aspects of management and business practices, the potential for unwarranted surveillance of employees, business partners, suppliers, service providers and others will balloon.

Many IT personnel privately express concern about being held responsible for monitoring employees e-mail and tracking their Web surfing. Combine these policies with the highly invasive potential of smart cards, and IT departments will become mini-FBIs.

And what of consumers? Airlines are all but certain to begin introducing smart ID cards, starting with frequent flyers, in the next 18 months. Does anyone believe they will build a firewall between security personnel and their marketing departments? How long will it take financially strapped airlines to start peddling this data to travel agencies, hotels, car rental companies and all manner of tourist destinations? Smart cards issued by HMOs and insurance companies pose even greater threats.

The only way to limit smart-card abuse will be government regulation. With that regulation will come the temptation for government to peek at smart-card data, just as the FBI today is demanding access to cell phone location data and encryption keys. The solution is not to trust government blindly but to become better citizens, more knowledgeable about and involved in the technology issues that will delineate our freedoms in years to come.

Is there a better approach? Tell me why at

Rocket Fuel